Encryption Considerations

Although it’s very difficult for a non-expert to judge the relative
security of the various encryption products available for laptops, you can
safely assume that any you’re considering are secure enough for most
laptop applications. (For really, really critical information, you need
the advice of an expert to select the right product for your needs.) The real
differences between the products are in the auxiliary parts, such as key
management, ease of use, and general bells and whistles. There’s a good
bit of difference in these areas, and you’ll probably end up making your
choice based on those factors.

Like any security measure, laptop encryption must be applied intelligently to
be effective. Among other things, this means that keys must be kept secure
(preferably physically away from the computer except when in use), passwords
must be properly chosen and protected, and no unencrypted copies of protected
files may be kept on the computer.

With laptops, one of the most common faux pas is to keep written copies of
the passwords, copies of the keys, and security devices such as USB drives in
the case with the machine. That approach is convenient for the user, but
it’s also convenient for any thief who snags the computer in its case.

Key Management

Of course, bad guys aren’t the only ones who get locked out by
encryption. If the encryption key is lost, no one can get access to the disk.
Therefore, any encryption needs a system of key management.

Key management should include keeping the keys secure. It should also include
making and keeping backup keys that can be used to unlock the computer in the
event of a problem. The backup key can be a copy of the original key, or it can
be a separate "administrator’s key" that can unlock the disk
when the original key isn’t available. In fact, it’s a good idea for
the enterprise to have two separate key management accounts (suitably
protected), to be sure that keys can be recovered if needed.

Windows EFS provides an elaborate key-management system that includes a
separate key for a Data Recovery Authority (usually a special administrator
account). It requires that a data-recovery policy, including a designated Data
Recovery Authority, be in place before EFS is enabled.

Two-Factor Authentication

A number of encryption products, such as PGP’s Whole Disk series,
support two-factor authentication, using an external token such as a smartcard
or a flash drive in addition to—in some cases, in place of—a
password. By keeping the token separate from the computer, preferably on his or
her person, the user provides an additional level of security for the
system.

Some other encryption tools, such as Windows EFS and Seagate’s Momentus
FDE, also support biometric identification schemes such as fingerprint readers.
However, these are almost always third-party add-ons. In the case of EFS,
Microsoft provides an API and the hooks to allow third-party vendors to write
biometric or other authentication applications and connect them into EFS.

Be Sure to Test the Product

Theoretically, Windows encryption products should work with any Windows
applications on any Windows system. But if a product doesn’t work with your
particular combination, your data may be irretrievably lost. For that reason,
you should take the time to test a product thoroughly before rolling it out in
your organization. Be especially sure that files will decrypt properly and that
keys are securely handled and recoverable.
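The pre-rollout test described above, and the check that a recovery agent actually covers encrypted files as discussed under Key Management, can be scripted for Windows EFS. The following is an added example, not code from the original article or from Microsoft; it assumes a Windows machine with EFS available, an EFS certificate for the current user, and English-language output from cipher.exe, and all file paths and sample content are constructed for the test.

```powershell
# Added example (not from the original article): a pre-rollout test of Windows EFS on
# one constructed file. It checks that (1) the file really is encrypted, (2) a recovery
# agent is listed for it, and (3) the file decrypts back to identical content.
$ErrorActionPreference = 'Stop'

$testDir  = Join-Path $env:TEMP 'efs-rollout-test'     # constructed test location
$testFile = Join-Path $testDir 'sample.txt'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null

# Constructed sample content; record its hash so the round trip can be verified.
Set-Content -Path $testFile -Value 'constructed sample data for the EFS round-trip test'
$hashBefore = (Get-FileHash -Path $testFile -Algorithm SHA256).Hash

# Step 1: encrypt through the .NET FileInfo API and confirm the Encrypted attribute is set.
(Get-Item $testFile).Encrypt()
$attrs = (Get-Item $testFile).Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
    throw "FAIL: $testFile was not encrypted"
}

# Step 2: cipher /c lists the users and recovery agents that can decrypt the file.
# A file with no recovery agent becomes unrecoverable if the user's key is lost.
# The exact wording matched below is an assumption about cipher's English output;
# the full listing is printed so an administrator can read it directly.
$cipherInfo = (cipher.exe /c $testFile) -join "`n"
Write-Host $cipherInfo
if ($cipherInfo -match 'No recovery certificate') {
    Write-Warning 'FAIL: no data recovery agent is listed for the encrypted file'
} else {
    Write-Host 'OK: a recovery certificate is listed for the file'
}

# Step 3: decrypt, then compare hashes to prove the data survived the round trip.
(Get-Item $testFile).Decrypt()
$hashAfter = (Get-FileHash -Path $testFile -Algorithm SHA256).Hash
if ($hashAfter -ne $hashBefore) {
    throw 'FAIL: decrypted content differs from the original'
}
Write-Host 'OK: file encrypted and decrypted back to identical content'

Remove-Item -Path $testDir -Recurse -Force
```

Run it on a representative machine image before deployment; the recovery-agent check in step 2 is the one that tells you whether the data-recovery policy is actually in effect, not just configured.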